Ethernet over VPN (Layer2 Over WAN)

Organizations with many distributed remote offices (branches or retail outlets, e.g. retail chains or F&B companies) usually connect the remote networks back to the HQ network over layer 3 IP networks: the public Internet, MPLS, private leased lines, etc. Sometimes, however, it is desirable to connect remote sites "seamlessly", as if they were joined by an Ethernet cable and sat in the same layer 2 Ethernet network (e.g. an emulated Metro-E backbone network).


There are a few options to achieve this.
  1. Some service providers offer a Metro-Ethernet service, which can be expensive.
  2. Another option is to use L2TPv3 tunneling to connect remote sites over layer 3 IP networks (e.g. the public Internet). This is a very cost-effective alternative, and mbox products support it (see more details here).
  3. However, L2TPv3 is a site-to-site tunnel that requires both end points to have static IP addresses, which is not always feasible. Many small remote outlets subscribe to cheaper dynamic Internet lines, or connect over mobile backhaul (3G|4G|5G/LTE), or use a combination of both for redundancy. In such scenarios, running "Ethernet over SSLVPN" with HSA/UA together with CMG offers the flexibility to work across any type of ISP network.


To achieve "Ethernet over SSLVPN", we use a few built-in features of the mbox CMG and HSA | UA product families:
  1. SSLVPN, which allows remote sites to connect back to HQ from either static or dynamic IP lines (or even from behind a firewall). See more details.
  2. Multi-WAN, which provides redundancy for ISP links. The HSA-500-L2 in particular comes with dual LTE support, and Multi-WAN can be used for bonding and auto-failover. See more on Multi-WAN, and learn how to configure Multi-WAN on HSA here.
  3. Ethernet bridging, which bridges the SSLVPN tap tunnels with the CMG and HSA/UA LAN interfaces, so the layer 2 Ethernet networks are extended across the IP SSLVPN tunnels as if they were connected by an Ethernet cable. See more on Ethernet bridging.


Image 1: Ethernet Over VPN topology


In this section, we’re going to use CMG and HSA/UA to demonstrate this feature.

A few key points to note before configuring:

1. SSLVPN must run on tap mode (layer 2 tunnel).

2. Only one network (or one VLAN) per VPN instance is supported. Each VPN instance/tap bridges with one Ethernet segment. Once bridged, the LAN segments at both sites form a single broadcast domain, so a DHCP server enabled on both sides will answer the same clients; plan for one DHCP server per bridged segment.

3. If you need to support multiple VLANs, i.e. multiple Ethernet segments across IP, run multiple instances of SSLVPN on both CMG and HSA, with each tap (VPN instance) bridged to its respective VLAN. Alternatively, use an L2TPv3 tunnel (one tunnel trunking multiple VLANs).

4. On CMG, assign tap and eth1 (LAN) in the same bridge group.

5. On HSA/UA, assign tap interface to br-lan (br-eth1) bridge.

6. (optional) Assign a VPN tunnel pool to the tap interfaces. It is not necessary to assign IP addresses to the tap interfaces, since they act as virtual "Ethernet cables" and carry bridged frames regardless. Optionally you may do so in order to ping the tap interfaces between HSA/UA and CMG for connectivity tests only.

7. (optional) Configure Multi-WAN on HSA/UA for link redundancy.

Prerequisite

Provision the Gateway device and map it to an Entity. Refer to Add Host to Target Entities and New Gateway.

NOTE

Add the Gateway device with the default Topology Template, click the MAC address of the Gateway, and click the button to save the config to the device.

  1. Navigate to ‘ORCHESTRATOR > Configuration > Gateway‘ and click the MAC address below the ‘Gateway‘ column.
  2. Navigate to the ‘Interface & DHCP‘ tab and click ‘VLAN‘ (vlan10@eth1 – 10.10.10.1/24).
Image 2: VLAN interface configuration
  3. Click the add button to assign the IP address.

The fields of the VLAN Interface List are explained below:

S/N  Field             Value
01.  VLAN              vlan10
02.  Main Interface    eth1
03.  Admin Status      Enable (tick)
04.  IPv4 Address      10.10.10.1/24 | Join SD-WAN: Enable (tick)
05.  Description       VPN Network
Table 1: VLAN Interface configuration values


  4. Click the next tab (DHCP Server) to configure DHCP settings for the VLAN.
Image 3: VLAN DHCP Server configuration interface

The fields of the VLAN DHCP Server List are explained below:

S/N  Field              Value
01.  DHCP Server        Enable (tick)
02.  DHCP Pool Range    Start: 10.10.10.10, End: 10.10.10.254
03.  DHCP Description   VLAN10_DHCP
Table 2: VLAN DHCP Server configuration values


  5. Configure a firewall input rule permitting the SSLVPN UDP port. The port must match the VPN Port set on the VPN instance below (1446 in this example):
    • firewall-input <rule no> permit all udp dport <port no> | ex: firewall-input 200 permit all udp dport 1446
  6. Navigate to the ‘SD-WAN > SSL-VPN‘ menu to configure the Gateway VPN Instance.
Image 4: SSL VPN instance interface

  7. Click the button to add and configure a VPN instance.
Image 5: SSL VPN instance configuration interface

The fields of the SSL VPN instance list are explained below:

S/N  Field                              Value
01.  VPN Instance ID *                  1
02.  Server Public Address / VPN Port * <Server URL or IP address> / VPN Port: 1446
03.  Tunnel Pool Network/Prefix         10.1.1.0/24
04.  VPN Topology *                     L3 VPN
05.  Encryption Options                 Default Encryption
06.  Other Options                      TAP Mode, Client-to-Client
07.  Start                              Enable (tick)
Table 3: SSL VPN instance configuration values

  8. Click the two buttons at the bottom of the form to save the VPN instance.
  9. Click the button to push the configuration to the Gateway device.

Prerequisite

Provision the remote host and map it to an Entity. Refer to Add Host to Target Entities and New SD-Branch.

  1. Navigate to ‘ORCHESTRATOR > Configuration > SD-Branch‘ and click the MAC address below the ‘Branch‘ column.

NOTE

Add the SD-Branch device with the default Topology Template, click the MAC address of the Branch, and click the button to save the config to the device.

  2. Navigate to the ‘Interface & DHCP‘ tab and click ‘VLAN‘ (vlan10@eth1 – 10.11.11.1/24).
Image 2: VLAN interface configuration
  3. Click the add button to assign the IP address.

The fields of the VLAN Interface List are explained below:

S/N  Field             Value
01.  VLAN              vlan10
02.  Main Interface    eth1
03.  Admin Status      Enable (tick)
04.  IPv4 Address      10.11.11.1/24 | Join SD-WAN: Enable (tick)
05.  Description       VPN Network
Table 1: VLAN Interface configuration values


  4. Click the next tab (DHCP Server) to configure DHCP settings for the VLAN.
Image 3: VLAN DHCP Server configuration interface

The fields of the VLAN DHCP Server List are explained below. The pool range must lie inside the VLAN subnet configured above (10.11.11.0/24):

S/N  Field              Value
01.  DHCP Server        Enable (tick)
02.  DHCP Pool Range    Start: 10.11.11.11, End: 10.11.11.254
03.  DHCP Description   VLAN10_DHCP
Table 2: VLAN DHCP Server configuration values


Configure the VPN instance on the Branch.

  5. Navigate to the ‘SD-WAN > SSL-VPN‘ menu.
Image 4: SSL VPN instance interface
Image 5: SSL VPN instance configuration interface

The fields of the SSL VPN instance list are explained below:

S/N  Field            Value
01.  Instance ID *    <From the drop-down, select the created Gateway Instance>
02.  Other Options    Select the [Tunnel tracking:] option
03.  Enable           Enable (tick)
Table 3: SSL VPN instance configuration values

  6. Click the two buttons at the bottom of the form to save the VPN instance.
  7. Click the button to push the configuration to the Branch device.
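The key points listed earlier and the two configuration walkthroughs above introduce several values that must agree with each other: TAP mode on the instance, a firewall-input rule on the same UDP port as the VPN Port, DHCP pools inside their VLAN subnets, a tunnel pool that does not collide with either LAN, and a single DHCP server on the bridged segment. The following is an added example written for this page (it is not mbox, CMG or HSA code) that checks those relationships before a configuration is pushed. The site dictionaries, their field names (vlan_cidr, dhcp_pool, tap_mode, vpn_port, firewall_input_udp_ports, tunnel_pool) and the sample values are constructed for the example; the "before" pair plants two typical mistakes (a firewall rule on the wrong port and a branch DHCP pool outside its VLAN subnet) and the "after" pair corrects them.

```python
import ipaddress

# Constructed sample inputs, not taken from a real deployment. The field names
# are assumptions for this example, loosely following the tables on this page.
GATEWAY_BEFORE = {
    "vlan_cidr": "10.10.10.1/24",                # vlan10@eth1 (LAN) on the CMG
    "dhcp_pool": ("10.10.10.10", "10.10.10.254"),
    "tap_mode": True,                            # SSLVPN instance in TAP (layer 2) mode
    "vpn_port": 1446,                            # UDP port the SSLVPN server listens on
    "firewall_input_udp_ports": [144],           # mistake: input rule opens the wrong port
    "tunnel_pool": "10.1.1.0/24",                # optional tap addresses for ping tests
}
BRANCH_BEFORE = {
    "vlan_cidr": "10.11.11.1/24",                # vlan10@eth1 (br-lan) on the HSA/UA
    "dhcp_pool": ("11.11.11.11", "11.11.11.254"),  # mistake: not inside 10.11.11.0/24
}

# Corrected versions: the firewall rule matches the VPN port and only the CMG
# side hands out leases on the bridged segment.
GATEWAY_AFTER = dict(GATEWAY_BEFORE, firewall_input_udp_ports=[1446])
BRANCH_AFTER = dict(BRANCH_BEFORE, dhcp_pool=None)


def check_dhcp_pool(name, vlan_cidr, pool):
    """Return findings for a DHCP pool that does not fit its VLAN interface."""
    findings = []
    if not pool:
        return findings
    iface = ipaddress.ip_interface(vlan_cidr)
    start, end = (ipaddress.ip_address(a) for a in pool)
    if start > end:
        findings.append(f"{name}: DHCP pool start {start} is after end {end}")
    if start not in iface.network or end not in iface.network:
        findings.append(
            f"{name}: DHCP pool {start}-{end} is outside VLAN subnet {iface.network}"
        )
    elif start <= iface.ip <= end:
        findings.append(f"{name}: interface address {iface.ip} lies inside the DHCP pool")
    return findings


def check_design(gateway, branch):
    """Apply the key points of this page to a gateway/branch pair; return findings."""
    findings = []
    if not gateway.get("tap_mode"):
        findings.append("gateway: SSLVPN instance must run in TAP mode to bridge Ethernet")
    if gateway["vpn_port"] not in gateway.get("firewall_input_udp_ports", []):
        findings.append(
            f"gateway: no firewall-input rule permits UDP dport {gateway['vpn_port']}; "
            "remote SSLVPN clients cannot reach the server"
        )
    tunnel = None
    if gateway.get("tunnel_pool"):
        tunnel = ipaddress.ip_network(gateway["tunnel_pool"])
    for name, site in (("gateway", gateway), ("branch", branch)):
        findings += check_dhcp_pool(name, site["vlan_cidr"], site.get("dhcp_pool"))
        lan = ipaddress.ip_interface(site["vlan_cidr"]).network
        if tunnel and tunnel.overlaps(lan):
            findings.append(f"{name}: tunnel pool {tunnel} overlaps LAN subnet {lan}")
    # Once the taps are bridged into both LANs, the two segments are one
    # broadcast domain, so DHCP servers on both sides answer the same DISCOVERs.
    if gateway.get("dhcp_pool") and branch.get("dhcp_pool"):
        findings.append(
            "bridged segment: DHCP servers enabled on both sites of one broadcast "
            "domain; clients may lease from either side"
        )
    return findings


if __name__ == "__main__":
    for label, g, b in (("before", GATEWAY_BEFORE, BRANCH_BEFORE),
                        ("after", GATEWAY_AFTER, BRANCH_AFTER)):
        result = check_design(g, b)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it as a script to see the findings for both pairs. In an orchestrator workflow the same check would be run against the values entered in Tables 1 to 3 before the configuration is pushed to the devices.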